Let's go phishing!

Everyone has at some point received either an email from someone in an obscure African country or a phone call from an Asian call centre asking for their personal details and banking information. While we may laugh at these very transparent attempts at identity fraud or theft, there are groups and individuals stealing thousands of people's data through cleverly made online traps.

The term "phishing" for this kind of theft was coined by a well-known hacker of the mid-90s, Khan C Smith. Phishing usually takes the form of email spam and scams, and it is also found on instant messaging applications.

At its core, phishing is an attempt to get internet users to enter their personal details and send them straight into the wide-open and waiting hands of hackers and scammers. Several different types of phishing have been observed.

  1. Deceptive Phishing
    This is the most common type of phishing attempt. Put simply, malicious hoaxers and scammers pose as legitimate websites and/or companies and try to get you to give them your personal details (username, password etc.). They do this by sending you emails or instant messages which can look almost identical to the real website's communications. These usually claim that your account has an issue which requires you to follow a not-at-all-suspicious link to rectify it. Should you click on the link, you're whisked away to a phoney website waiting to gobble up all the information you give it and relay it back to the scammers. In fact, many of these phoney websites have URLs that look, at a quick glance, like the real one. Many don't, but a good phishing attempt might use a phoney website called "www.facebooks.com" or "www.paypals.com". And how many of us actually check the URLs of the websites we visit, unless we typed them in ourselves?

  2. Spear Phishing
    This form of phishing takes a much more targeted approach to information theft: the attempt uses a person's name, company or work phone number to try to squeeze out the information. It is commonly found on platforms where this information is readily available, LinkedIn for example.

  3. CEO Fraud
    This ties into spear phishing: scammers attempt what is known as a "whaling" attack, where they "harpoon" (target) an executive of a company and steal their data, then use it to gain control over everyone working under that executive on the corporate ladder. These attacks work because, a lot of the time, high-up executives in companies don't take part in the same online security training programmes as their employees. If the scammers get access, they can abuse the exec's powers and usually aim to wire large amounts of money out of the company to a phoney bank account before taking it for themselves.

  4. Pharming
    As people get better at spotting phishing attempts and smarter about online security, many scammers are ditching the "baiting" strategy and going straight for domain name system (DNS) cache poisoning attacks. These attacks redirect users to fake websites (to steal information) even if the user has entered the CORRECT website name.

Phishing belongs to the larger category of Social Engineering: the psychological manipulation of human beings, usually over computers or information systems (the internet). Many companies around the world have begun more intensive employee training on Social Engineering threats to online security. Alongside the training, public awareness of Social Engineering scams has grown, and in many countries there is now actually legislation against phishing scammers.

So, what are some tips for avoiding getting "phished"? Firstly, carefully read through any emails from banks or from anything online that has control over your personal finances. Secondly, be careful about how much of your personal information is available to people online. Another very good tip is to double-check the URL of any webpage you find yourself browsing, to make sure you aren't under a DNS attack.
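Putting the URL-checking tip above, and the look-alike hosts such as "www.paypals.com" described under Deceptive Phishing, into code: the following is an added example, not part of the original post. It is a small Python checker that flags links whose host only resembles a trusted domain. The allow-list TRUSTED_DOMAINS is constructed for the example, and the function names (classify_link, registrable_domain, edit_distance) are mine.

```python
"""Flag links whose host merely looks like a trusted site (deceptive phishing).

Added example with a constructed allow-list; not the post's own code.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of the registrable domains a user actually trusts.
TRUSTED_DOMAINS = {"facebook.com", "paypal.com", "example-bank.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host ('login.paypal.com' -> 'paypal.com').

    Simplification: proper handling of suffixes like 'co.uk' needs the
    Public Suffix List; two labels are enough for the .com cases shown here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete a character of a
                           cur[j - 1] + 1,         # insert a character of b
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'trusted', 'suspicious: <reason>' or 'unknown' for a link."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return "suspicious: no host"
    if parts.username is not None:
        # 'https://paypal.com@evil.example/' displays 'paypal.com' but the
        # browser connects to evil.example; the part before '@' is userinfo.
        return "suspicious: credentials in URL hide the real host"
    try:
        ipaddress.ip_address(host)
        return "suspicious: raw IP address instead of a domain name"
    except ValueError:
        pass  # a normal domain name, carry on
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # 'paypals.com' or 'paypa1.com': a near miss on a trusted domain
        if edit_distance(domain, trusted) <= 2:
            return f"suspicious: looks like {trusted}"
        # 'paypal.com.secure-login.example': the brand is only a subdomain
        # of some other registrable domain
        brand = trusted.split(".")[0]
        if brand in host.split("."):
            return f"suspicious: {brand} appears in subdomain of {domain}"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://login.paypal.com/",
                 "https://www.facebooks.com/login",
                 "https://paypal.com@evil.example/",
                 "http://192.0.2.10/secure",
                 "https://paypal.com.secure-login.example/"):
        print(f"{link:45} {classify_link(link)}")
```

A check like this only addresses the look-alike URLs of deceptive phishing; for pharming, where the user types the correct name and DNS itself has been tampered with, the URL bar looks right and this check returns "trusted", so the browser's HTTPS certificate validation is the control that matters there.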

There are websites where internet users can post phishing attempts to warn other users who might come into contact with the same or similar attempts. Other users can confirm and verify these posted attempts, which helps create better awareness of Social Engineering attacks for everyone.

In conclusion, being savvy about online security is vital in this day and age, when increasing amounts of our personal data are kept online and privacy is slowly becoming a thing of the past. The greatest advantage one can have is to be aware and cautious. It is highly unlikely that John from who-knows-where needs your banking information for anything.

An interesting video on primitive phishing attempts:
https://www.youtube.com/watch?v=_QdPW8JrYzQ

PhishTank (a user-created database of current and former phishing attempts):
https://www.phishtank.com/